rlm_rest in 3.0.17: cert validation of HTTPS server not working

Alan DeKok aland at deployingradius.com
Mon Feb 11 15:27:21 CET 2019


On Feb 11, 2019, at 9:01 AM, Stefan Winter <stefan.winter at restena.lu> wrote:
> But when I transpose this into the rlm_rest config like
> this:
> 
> rest {
>        tls {
>                ca_file = ${confdir}/mods-config/rest/trustroot.pem
>                check_cert     = "yes"
> # doesn't work regardless if check_cert_cn is yes or no

  That should work, I think.

> [...]
> 
> Then I get an error message during FreeRADIUS' cert validation phase:
> ...
> (15) rest: ERROR: Request failed: 83 - Issuer check against peer certificate failed

  That error is from libcurl, which we use to do the whole HTTP thing:

https://curl.haxx.se/libcurl/c/libcurl-errors.html#CURLESSLISSUERERROR

> (15) rest: ERROR: Server returned no data
> rlm_rest (rest): Released connection (0)
> 
> I don't really know what to make of "Issuer check against
> peer certificate failed". The root appears to be recognised,
> and the intermedaite chain is the expected one. So what
> would be failing here?

https://curl.haxx.se/libcurl/c/CURLOPT_ISSUERCERT.html

  Which says:

>> A specific error code (CURLE_SSL_ISSUER_ERROR) is defined with the option,
>>  which is returned if the setup of the SSL/TLS session has failed due to a mismatch
>> with the issuer of peer certificate (CURLOPT_SSL_VERIFYPEER has to be set
>> too for the check to fail). 

  So rlm_rest says "please check issuer certificate", and libcurl says "failed to validate peer".

  Maybe libcurl is expecting the peer cert to be signed by the CA?  And instead it's signed by an intermediary CA?

  Try using the issuing CA instead of the root CA.

  Alan DeKok.




More information about the Freeradius-Users mailing list